Active Directory provides a method for designing a directory structure that meets the needs of your organization. As a result, before installing Active Directory, you should examine your organization's business structure and operations.
Many companies have a centralized structure. Typically, these companies have strong information technology (IT) departments that define and implement the network structure down to the smallest detail. Other organizations, especially large enterprises, are very decentralized. These companies have multiple businesses, each of which is very focused. They need decentralized approaches to managing their business relationships and networks.
With the flexibility of Active Directory, you can create the network structure that best fits your company's needs. Active Directory completely separates the logical structure of the domain hierarchy from the physical structure.
In Active Directory, you organize resources in a logical structure. This enables you to find a resource by its name rather than its physical location. Because you group resources logically, Active Directory makes the network's physical structure transparent to users.
An object is a distinct, named set of attributes that represents a network resource. Object attributes are characteristics of objects in the directory. For example, the attributes of a user account might include the user's first and last names, department, and e-mail address (see Figure 5.8).
Figure 5.8 Active Directory objects and attributes
In Active Directory, you can organize objects in classes, which are logical groupings of objects. For example, an object class might be user accounts, groups, computers, domains, or organizational units (OUs).
Some objects, known as containers, can contain other objects. For example, a domain is a container object.
An OU is a container used to organize objects within a domain into logical administrative groups. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs (see Figure 5.9).
Figure 5.9 Resources organized in a logical hierarchical structure
The OU hierarchy within a domain is independent of the OU hierarchies of other domains; each domain can implement its own OU hierarchy. There are no restrictions on the depth of the OU hierarchy. However, a shallow hierarchy performs better than a deep one, so you should not create an OU hierarchy any deeper than necessary.
You can delegate administrative tasks by assigning permissions to OUs.
The core unit of logical structure in Active Directory is the domain. Grouping objects into one or more domains allows your network to reflect your company's organization. Domains share the following characteristics:
A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains that share a contiguous namespace (see Figure 5.10).
Figure 5.10 A domain tree
Trees have the following characteristics:
A forest is a grouping or hierarchical arrangement of one or more domain trees that form a disjoint (noncontiguous) namespace (see Figure 5.11).
Figure 5.11 A forest of trees
Forests have the following characteristics:
In Figure 5.11, microsoft.com and msn.com form a forest. The namespace is contiguous only within each tree.
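To make the contiguous-versus-disjoint distinction concrete, here is an added Python model (not from the book) that groups DNS domain names into trees and a forest. Only microsoft.com and msn.com come from Figure 5.11; the child domain names are constructed.

```python
"""Group DNS domain names into domain trees and a forest.

Added example, not from the book. A tree is a set of domains with a
contiguous namespace: each child domain's DNS name is its parent's name
with one label prepended. Trees whose roots share no namespace form a
forest. Child domain names below are constructed; microsoft.com and
msn.com are the two tree roots shown in Figure 5.11.
"""
from collections import defaultdict

SAMPLE_DOMAINS = [
    "microsoft.com", "sales.microsoft.com", "europe.sales.microsoft.com",
    "msn.com", "mail.msn.com",
]

def parent_of(domain, domains):
    """Immediate parent (the name minus its leftmost label) if it is in the
    set, else None: a domain whose parent is absent starts its own tree."""
    parent = domain.partition(".")[2]
    return parent if parent in domains else None

def root_of(domain, parents):
    """Follow parent links upward until the tree root is reached."""
    while parents[domain] is not None:
        domain = parents[domain]
    return domain

def build_forest(domain_names):
    """Return {tree_root: {domain: parent}}; each root maps to None."""
    domains = set(domain_names)
    parents = {d: parent_of(d, domains) for d in domains}
    forest = defaultdict(dict)
    for d in sorted(domains):
        forest[root_of(d, parents)][d] = parents[d]
    return dict(forest)

def is_single_tree(domain_names):
    """True when every listed domain shares one contiguous namespace."""
    return len(build_forest(domain_names)) == 1

if __name__ == "__main__":
    for root, members in build_forest(SAMPLE_DOMAINS).items():
        print(root, "->", members)
```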
The physical components of Active Directory, domain controllers and sites, are used to mirror the physical structure of an organization.
A domain controller is a computer running Windows 2000 Server that stores a replica of the domain directory (local domain database). A domain can contain one or more domain controllers, and each domain controller in a domain holds a complete replica of the domain's portion of the directory.
The functions of domain controllers include the following:
In general, there should be one domain controller for each domain in each site for authentication purposes. However, your organization's authentication requirements determine the number of domain controllers and their locations.
A site is a combination of one or more IP subnets connected by a highly reliable, fast link to localize as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN). When you group subnets on your network, you should combine only those subnets that have fast, cheap, and reliable network connections with one another. Fast network connections are at least 512 kilobits per second (Kbps). An available bandwidth of 128 Kbps and higher is sufficient.
With Active Directory, sites are not part of the namespace. When you browse the logical namespace, you see computers and users grouped into domains and OUs, not sites. Sites contain only computer objects and connection objects used to configure replication between sites.
A single domain can span multiple geographical sites, and a single site can include user accounts and computers belonging to multiple domains.
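As an added illustration of the site-planning rule above (not the book's own material), this Python snippet merges subnets that are joined by links at or above a bandwidth threshold into sites. The subnets and link speeds are constructed; the 512 Kbps default is the figure the text gives for a fast connection.

```python
"""Group IP subnets into sites by link quality (added example, not from the book).

Subnets are nodes and measured links are edges. Subnets connected, directly
or through other fast links, at or above `min_kbps` share a site. The
subnets and bandwidth figures are constructed for illustration.
"""
import ipaddress

SUBNETS = ["10.1.0.0/24", "10.1.1.0/24", "10.2.0.0/24", "10.3.0.0/24"]
# (subnet a, subnet b, available bandwidth in Kbps); constructed values
LINKS = [
    ("10.1.0.0/24", "10.1.1.0/24", 100000),  # same LAN
    ("10.1.1.0/24", "10.2.0.0/24", 256),     # slow WAN link
    ("10.2.0.0/24", "10.3.0.0/24", 1544),    # T1 between buildings
]

def plan_sites(subnets, links, min_kbps=512):
    """Return sites as a sorted list of sorted subnet lists (union-find)."""
    parent = {s: s for s in subnets}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]   # path compression
            s = parent[s]
        return s

    for a, b, kbps in links:
        if kbps >= min_kbps:                # only fast links join subnets
            parent[find(a)] = find(b)
    sites = {}
    for s in subnets:
        sites.setdefault(find(s), []).append(s)
    return sorted(sorted(members) for members in sites.values())

def site_of(sites, ip):
    """Return the site whose subnets contain `ip`, or None if unmatched."""
    addr = ipaddress.ip_address(ip)
    for site in sites:
        if any(addr in ipaddress.ip_network(s) for s in site):
            return site
    return None

if __name__ == "__main__":
    for site in plan_sites(SUBNETS, LINKS):
        print(site)
```

Lowering `min_kbps` to the 128 Kbps the text calls sufficient folds every subnet here into one site, which shows how sensitive the site layout is to the threshold you choose.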
Active Directory also includes a replication feature. Replication ensures that changes to a domain controller are reflected in all domain controllers within a domain. To understand replication, you must understand domain controllers. A domain controller is a computer running Windows 2000 Server that stores a replica of the domain directory. A domain can contain one or more domain controllers.
Within a site, Active Directory automatically generates a ring topology for replication among domain controllers in the same domain. The topology defines the path for directory updates to flow from one domain controller to another until all receive the directory updates (see Figure 5.12).
Figure 5.12 Replication topology
The ring structure ensures that there are at least two replication paths from one domain controller to another. Therefore, if one domain controller is down temporarily, replication still continues to all other domain controllers.
Active Directory periodically analyzes the replication topology within a site to ensure that it is still efficient. If you add or remove a domain controller from the network or a site, Active Directory reconfigures the topology to reflect the change.
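The ring topology and its two-path property, as an added Python model (not from the book): each domain controller replicates with its two ring neighbours, and the check removes each controller in turn to confirm the survivors still reach one another. Domain controller names are constructed.

```python
"""Intra-site ring replication topology (added example, not from the book).

Models the ring Active Directory builds among domain controllers of one
domain in a site: each DC replicates with its two ring neighbours, so any
two DCs have two distinct paths. The check removes each DC in turn and
confirms every surviving DC is still reachable. DC names are constructed.
"""
from collections import deque

def ring_topology(dcs):
    """Return {dc: set(neighbours)} for a bidirectional ring over `dcs`."""
    topo = {dc: set() for dc in dcs}
    for i, dc in enumerate(dcs):
        nxt = dcs[(i + 1) % len(dcs)]
        if nxt != dc:                       # a lone DC has no partner
            topo[dc].add(nxt)
            topo[nxt].add(dc)
    return topo

def chain_topology(dcs):
    """For contrast: a linear chain, where one failed DC splits the rest."""
    topo = {dc: set() for dc in dcs}
    for a, b in zip(dcs, dcs[1:]):
        topo[a].add(b)
        topo[b].add(a)
    return topo

def reachable(topo, start, down=frozenset()):
    """DCs an update from `start` reaches without passing through `down`."""
    seen, queue = {start}, deque([start])
    while queue:
        for nb in topo[queue.popleft()]:
            if nb not in down and nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return seen

def survives_single_failure(topo):
    """True if updates still reach every surviving DC when any one DC is down."""
    for down in topo:
        survivors = [dc for dc in topo if dc != down]
        if survivors and reachable(topo, survivors[0], {down}) != set(survivors):
            return False
    return True

if __name__ == "__main__":
    dcs = ["DC1", "DC2", "DC3", "DC4"]
    print("ring:", survives_single_failure(ring_topology(dcs)))
    print("chain:", survives_single_failure(chain_topology(dcs)))
```

Adding or removing a controller is modelled by calling `ring_topology` again on the new list, which mirrors the automatic regeneration the text describes.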
Here are some questions to help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."